NEW YORK (AP) — The top Democrat on the Senate Banking Committee is calling for the credit agency Experian to disclose more details about a data breach in which personal information on millions of T-Mobile customers was stolen.
In a letter obtained by The Associated Press, Ohio Senator Sherrod Brown asks Experian to explain how the breach occurred and what changes Experian was making to its systems to stop it from happening again.
“Protection of this information is of the utmost importance, especially because the scope of the information is vast and virtually no consumer can apply for credit without entering your system,” Sen. Brown wrote in the letter, which was sent to the company Wednesday.
Experian said earlier this month hackers had broken into a server containing data on T-Mobile customers. The breach potentially exposed personal information of 15 million customers and possible customers, including Social Security numbers, who might have applied for T-Mobile cell service between September 1, 2013 and September 16, 2015.
It was the latest high-profile company data breach in recent years, following attacks on Home Depot, Target and others.
Experian’s main consumer credit database was not broken into, Experian says, and T-Mobile and Experian are providing two years of credit monitoring services and identity theft recovery services for free.
Along with increased disclosure about the breach, Sen. Brown also asks Experian to provide “credit freezes” to affected customers for free. Credit freezes allow customers to restrict access to their credit reports in cases of potential identity theft, but typically credit agencies charge for this service. Brown also asked Experian to explain how well its credit monitoring and identity theft protection services work.
Data breaches, identity theft and cyber security have become a priority as more companies have disclosed breaches of their systems. Lawmakers have attempted to legislation to address the issue, including a bill that would require companies to inform their customers about a breach within 30 days of learning about it themselves.
Experian did not immediately return a request for comment.
